0
votes

I'm trying to use Azure CLI to configure Azure App Service SSL certificates that are stored in an Azure Key Vault. I'm new to Azure CLI and am having trouble finding a complete set of sample code that does this. I've found documentation / examples of the individual commands, but am having trouble chaining them together. I would definitely appreciate some assistance/guidance, as I feel like this is a common scenario.

At first, I thought this would be a simple 'linking' type command. Certs are already uploaded in Key Vault, so Azure App Service, go get 'em, here's the $pfxPassword.

It doesn't look like that is possible. I found some documentation suggesting that you need to download the cert from the Key Vault and then upload it.

It took me a little bit to realize that you don't use az keyvault certificate for this... you need to use az secret download.

I then found some other commands on how to upload the cert, get the thumbprint, and bind the cert to the app Service.

I chained these three commands together, but am not able to get it to work.

#download the cert
az keyvault secret download --file $fileName --vault-name $vaultName --name $certName;

#upload the cert and get the thumbprint
$thumbprint=az webapp config ssl upload --certificate-file $fileName --certificate-password $pfxPassword --name $site_name --resource-group $ResourceGroupName --query thumbprint --output tsv

#bind the uploaded cert to the app service.
az webapp config ssl bind --certificate-thumbprint $thumbprint --ssl-type SNI --name $site_name --resource-group $ResourceGroupName

I can confirm the first command is downloading the cert. (After a while I was able to figure out how to import it into my Win10 development machine -- even though the certs were uploaded into Key Vault with a password, downloading them stripped the password out.)

Unfortunately, it looks like the second command (upload and get the thumbprint) REQUIRES a password.

What is the 'correct' way to do this?

Thanks for your guidance/advice.

1
As far as I know, when we use az keyvault secret download to download the pfx file, the file has a blank password. So when running the command az webapp config ssl upload, please set certificate-password as null. - Jim Xu

How are you setting this null? I get errors when I use $null, "", no value, or leaving the argument out entirely: az webapp config ssl upload: error: argument --certificate-password: expected one argument - Chad Carlton

Is that OK for you? Do you have any other concerns? - Jim Xu

1 Answer

0
votes

According to my test, when we use the Azure CLI to download the certificate as pfx file from Azure key vault, it has a blank password. So when we use CLI to upload the pfx file to Azure web app, we can use the following command

az webapp config ssl upload --certificate-file "<pfx file name>"  --name "<web name>" --resource-group "<group name>"  --certificate-password "" --query thumbprint --output tsv

# sign in
az login

# upload certificate to Azure key vault
az keyvault certificate import --file "E:\Cert\P2SChildCert.pfx" --password "" --name "test1234" --vault-name "testkey08"

# download certificate as pfx file (the secret value is base64-encoded PKCS#12, so decode it)
az keyvault secret download --file "test2.pfx" --vault-name "testkey08" --name "test1234" --encoding base64

# upload the pfx file to Azure web app with an empty password and print its thumbprint
az webapp config ssl upload --certificate-file "test2.pfx"  --name "andywebsite" --resource-group "andywebbot"  --certificate-password "" --query thumbprint --output tsv


Besides, if your certificate has been stored in Azure Key Vault, we can directly import it to the Azure web app via the Azure Portal.
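The two facts the answer leans on can be checked locally before touching App Service: the secret behind a Key Vault certificate is the PKCS#12 blob, base64-encoded, with an empty password (which is what `az keyvault secret download --encoding base64` writes to disk), and `az webapp config ssl bind` takes the SHA-1 thumbprint as upper-case hex without colons (which is what `ssl upload --query thumbprint --output tsv` prints). The script below is an added example, not code from the question or the answer; it uses openssl to reproduce that round trip offline on a throw-away self-signed certificate generated as constructed test data. All names (example.test, the file names, the `<web name>`/`<group name>` placeholders) are assumptions, and the az calls at the end are only printed, since they need a real subscription.

```shell
#!/bin/sh
# Added example (not from the question or the answer). Reproduces offline what
# the az commands on this page do with the certificate bytes:
#   1. a Key Vault certificate's secret = base64(PKCS#12) with an EMPTY password
#      (what `az keyvault secret download --encoding base64` writes to disk);
#   2. App Service binds by SHA-1 thumbprint, upper-case hex, no colons
#      (what `az webapp config ssl upload --query thumbprint -o tsv` prints).
# Requires openssl. example.test and the file names are placeholders.
set -eu

# Constructed stand-in for `az keyvault secret show --query value -o tsv`:
# build a throw-away self-signed cert, pack it into a PFX with an empty
# password, and base64-encode it the way Key Vault stores the secret value.
make_keyvault_secret_value() {    # $1 = scratch dir; prints the base64 value
  openssl req -x509 -newkey rsa:2048 -nodes -subj "/CN=example.test" -days 1 \
    -keyout "$1/key.pem" -out "$1/cert.pem" >/dev/null 2>&1
  # `-passout pass:` is the empty password, the state Key Vault hands back
  openssl pkcs12 -export -inkey "$1/key.pem" -in "$1/cert.pem" \
    -out "$1/source.pfx" -passout pass:
  openssl base64 -A -in "$1/source.pfx"
}

# What `az keyvault secret download --encoding base64` does: decode the secret
# value into a .pfx file (fold keeps openssl's base64 line-length limit happy).
secret_value_to_pfx() {           # $1 = base64 value, $2 = output .pfx path
  printf '%s\n' "$1" | fold -w 64 | openssl base64 -d -out "$2"
}

# True when the PFX opens with an empty password, i.e. when
# `--certificate-password ""` is the right value for `ssl upload`.
pfx_opens_with_empty_password() { # $1 = .pfx path
  openssl pkcs12 -in "$1" -passin pass: -nokeys -clcerts >/dev/null 2>&1
}

# SHA-1 thumbprint in App Service's format (upper-case hex, no colons): the
# value `ssl upload` returns and `ssl bind --certificate-thumbprint` expects.
pfx_thumbprint() {                # $1 = .pfx path
  openssl pkcs12 -in "$1" -passin pass: -nokeys -clcerts 2>/dev/null \
    | openssl x509 -noout -fingerprint -sha1 \
    | cut -d= -f2 | tr -d ':' | tr 'a-f' 'A-F'
}

# The local half of the answer's procedure, then the az calls (printed only).
main() {
  work="$(mktemp -d)"
  value="$(make_keyvault_secret_value "$work")"
  secret_value_to_pfx "$value" "$work/test2.pfx"
  pfx_opens_with_empty_password "$work/test2.pfx" \
    && echo "PFX has an empty password: pass --certificate-password \"\""
  thumb="$(pfx_thumbprint "$work/test2.pfx")"
  echo "thumbprint: $thumb"
  echo "next: az webapp config ssl upload --certificate-file $work/test2.pfx" \
       "--certificate-password \"\" --name <web name> --resource-group <group name>"
  echo "then: az webapp config ssl bind --certificate-thumbprint $thumb" \
       "--ssl-type SNI --name <web name> --resource-group <group name>"
  rm -rf "$work"
}

main
```

One caveat for the "expected one argument" error in the comments: Windows PowerShell 5.1 (and PowerShell before 7.3) silently drops an empty-string argument when invoking a native executable, so `--certificate-password ""` reaches az as a bare `--certificate-password` and argparse complains. From PowerShell, pass `--certificate-password '""'` (the literal two quote characters, which the native command line parses as an empty string) or `--certificate-password=""`; from bash the plain `""` in the answer works as written.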